North Carolina Attorney General to Congress: Let States Keep Enforcing Data Security Laws
A proposed federal data security law shouldn't stop state efforts to protect consumers from data breaches and identity theft, North Carolina Attorney General Roy Cooper said Tuesday.
"States like North Carolina have been on the frontlines of the battle to protect consumer data for years," Cooper said. "We welcome help from Congress in the fight, but not federal legislation that will tie our hands."
In the midst of efforts to pass a federal law on data security and breach notifications, Cooper has joined a bipartisan group of 46 state and territory attorneys general to urge Congress to maintain states' authority to protect consumers from data breaches and identity theft.
"States must be able to enforce their own laws, and develop new laws that respond to changes in technology and data collection," the attorneys general wrote in a letter to Congress. "We believe that depriving states of enforcement authority would undermine the effectiveness of any national legislation."
A security breach happens when data or records containing personal information, such as Social Security numbers, credit card/bank account numbers or driver's license numbers are lost, stolen or accessed improperly.
According to the NC Department of Justice (NCDOJ), data breaches put consumers at higher risk of identity theft than any other forms of fraud.
Congress' interest in data security follows major data security breaches that have left affected consumers vulnerable to identity theft. In March of this year, the Anthem data breach affected more than 775,000 consumers in North Carolina. Last month, the U.S. Office of Personnel Management announced that a cyberattack on its database compromised personal information of approximately 4 million people.
Under North Carolina laws that Attorney General Cooper pushed for, businesses and state and local governments are REQUIRED to report security breaches to the North Carolina Attorney General's Office and to inform consumers if their personal information has been compromised. A total of 46 other states have similar laws in place.
The North Carolina Attorney General's Office points out that, since 2005, nearly 5,000 data breaches have compromised more than 815 million records containing sensitive information about consumers nationally. That includes more than 2,600 breaches reported to Cooper's office that involved information about more than 7.2 million North Carolina consumers.
Cooper has worked with attorneys general from several other states to investigate major security breaches, including those involving Target, Home Depot and TJ Maxx. Cooper's office has also taken action on smaller breaches affecting only North Carolina consumers, such as when a small business illegally dumps documents containing personal information of its customers or employees. Cooper says that such localized data breaches are unlikely to get as much attention from the federal government, if Congress passes a law that restricts states' ability to act.
"A federal agency cannot be tasked with receiving notification for every breach that occurs in the country. While such notification at the federal level may work for large breaches that affect consumers nationwide, it does not work for breaches that affect one state or one region. Many breaches are significant, but not nationwide in their scope," the attorneys general told Congress. "A better solution to the problem is for state attorneys general to also be given timely notification of breaches, as many state laws already require."
North Carolina businesses and state and local agencies can report a security breach online to the North Carolina Attorney General's Office.